This paper introduces a mathematical framework for evaluating the relationship between policies and mechanisms. An evaluation approach called the assignment technique is defined. This technique [illegible] classes of information established by policy constraints, and the protection domains, established by the properties of the mechanism. The assignment technique provides a theoretical foundation for assessing the sufficiency of an access control mechanism with respect to a well formed protection policy. Although this paper presents preliminary results of research, the proposed framework suggests a promising new approach for evaluating the protection mechanisms of existing and proposed systems.


Introduction


The suitability of a protection mechanism for any given security policy is not always apparent. This paper presents a theoretical foundation for assessing the sufficiency of an access control mechanism as a means of enforcing a non-discretionary security policy. A technique, termed assignment, establishes a relationship between the information sensitivities of the system entities (partitioned according to policy constraints), and dominance domains (inherently established by a protection mechanism). The assignment technique provides a method for mechanism validation, since the results of the assignment can be evaluated to establish whether or not the constraints of the policy are met.


The assignment technique was developed as a means of identifying the limitations of well-formed access control mechanisms. The initial investigation examined the feasibility of using the Multics ring mechanism [15] as a means of enforcing a hierarchical compromise policy. Our basic National security policy [5] is a well known example. It was established by assignment (as is shown in this paper) that the Multics ring mechanism, of itself, cannot provide this security. On the other hand, it is shown that the Multics ring mechanism does enforce an important form of program integrity policy. This program integrity mechanism can be used to delimit a most privileged set of programs known as the security kernel [11]. The security kernel in turn provides a mechanism sufficient to enforce other security, integrity or access control policies. Thus, with the security kernel technology, the ring mechanism is sufficient for enforcing computer security. By using assignment, we have gained a much better understanding of the capabilities and limitations of a ring protection mechanism, and have introduced a tool for the assessment of other protection mechanisms.

In order to clearly present the assignment technique we begin with a discussion of the principles of access control. This is necessary because much of the information published in this area appears to be imprecise or even contradictory in nature. Some of the terminology used in this paper may also appear to contradict other authors. These differences and distinctions are intentional and will be discussed in greater detail in an anticipated thesis [1?] by Mr. Shirley. This paper merely addresses the basic framework which we choose for our discussion.

Lattice Security Policies

A security policy is based upon external laws, rules, regulations and other mandates that establish what access to information is to be permitted. We choose as our universe of discourse the lattice security policies as identified by Walters [15] and later also described by Denning [5]. These universally bounded lattice structures consist of finite, partially ordered sets of access classes, each having a least upper and greatest lower bound. This class of policies encompasses many (if not all) practical policies. Such policies are of primary interest to National defense because all non-discretionary security policies can be represented as a lattice policy. To be effective, such policies must clearly establish an access class for all system entities, i.e., subjects (the active entities) and objects (the passive entities that may be referenced by a subject). Furthermore, the policy must identify all permissible access relations between the subjects and objects of the various equivalence classes. If a policy were not able to meet these two requirements, the enforcement of the policy could not be evaluated.


Note that we distinguish between processes and subjects [illegible]. This is necessary because of the ambiguity that results without the distinct notion of a subject as a process-domain pair [?, 10], particularly when we present a formalized definition of a domain.

Access Relations

Any specific policy will distinguish one or more distinct access relations between subjects and objects. These are typically mirrored in the "access mode" of the corresponding protection mechanism.

Two generic access modes are sufficient for a general discussion of the principles and policies discussed in this paper. These are [7] "observe" (the ability to observe information) and "modify" (the ability to modify information). Other primitive access modes are generally just a finer granularity of observation and modification privileges.

The enforcement of a policy is fundamentally limited by the system's granularity of access. Policies that prescribe distinctions not recognized by the access control mechanisms must be enforced in an overly restrictive manner or ignored. For example, a policy addressing a concatenation access relation cannot be precisely enforced on a system that does not recognize some form of append access mode.

The granularity of access control within a system is dependent upon the ability to distinguish attributes of subjects and objects and upon the variety of access modes available. The primitive access modes are associated with the design of the system, including the protection mechanisms, and designate the associated rights obtained by an access request.

An access relation is a tuple (subject, access mode, object). This tuple signifies that a relation between the subject and object exists such that the subject is permitted to access the object with all the privileges associated with the access mode. The problem of information security may generally be expressed as the problem of permitting the existence of only those access relations that in no way violate any of the applicable system policies.

Basic National Security Policy Example

The basic National Security policy is a simple lattice policy. The policy defines entities as members of one of four hierarchical access classes: UNCLASSIFIED, CONFIDENTIAL, SECRET and TOP SECRET. The greatest lower bound is UNCLASSIFIED and the least upper bound is TOP SECRET. Figure 1(A) represents this lattice structure.
Figure 1

Figure 1(B) shows the information flow characteristics of this lattice policy [?]. This information transfer path [1?] can be analyzed with respect to permissible access relations.

Based on this analysis of the permissible access relations between (subjects and objects with) the various access classes, we derive an alternative illustration form that is convenient for our analysis. Figure 1(C) illustrates the basic National Security policy using this form. Note that a node represents an equivalence class of entities all of which have the same access [class], and a directed arc represents the permissible access [relations].

Recall that a system is "secure" if there are no access relations that violate any applicable policy. The Simple Security Condition [1] states that if observe access is permitted, then the access class of the subject is greater than or equal to the access class of the object. The "Confinement Property" (historically known by the less descriptive name of *-Property [1]) states that if modify access is permitted, then the access class of the subject is less than or equal to the access class of the object. We can see that Figure 1(C) is derived directly from these two properties.
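As an added illustration (example code, not from the paper), the two conditions above can be applied mechanically to the four classes of the basic National Security policy to generate the permissible access relations that Figure 1(C) depicts, and to test a set of access relations for violations. The class names are the policy's own; the sample relations at the end are constructed input, not taken from the paper.

```python
from itertools import product

# Access classes of the basic National Security policy, least to greatest.
CLASSES = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {c: i for i, c in enumerate(CLASSES)}
MODES = ("observe", "modify")


def dominates(class_a, class_b):
    """class_a >= class_b in the lattice (a linear order, so ranks suffice)."""
    return RANK[class_a] >= RANK[class_b]


def permitted(subject_class, mode, object_class):
    """Simple Security Condition for observe; Confinement Property for modify."""
    if mode == "observe":
        return dominates(subject_class, object_class)
    if mode == "modify":
        return dominates(object_class, subject_class)
    raise ValueError(f"unknown access mode {mode!r}")


def permissible_relations():
    """Every (subject class, mode, object class) tuple the policy allows:
    the directed arcs of Figure 1(C)."""
    return {(s, m, o) for s, m, o in product(CLASSES, MODES, CLASSES)
            if permitted(s, m, o)}


def violations(relations):
    """Relations in `relations` that violate the policy (a system is secure
    iff this is empty for the relations its mechanism permits)."""
    return [r for r in relations if not permitted(*r)]


# Constructed sample: relations a hypothetical mechanism permits.
SAMPLE = [
    ("SECRET", "observe", "CONFIDENTIAL"),    # read down: allowed
    ("SECRET", "modify", "TOP SECRET"),       # write up: allowed
    ("CONFIDENTIAL", "observe", "SECRET"),    # read up: violates Simple Security
    ("TOP SECRET", "modify", "SECRET"),       # write down: violates Confinement
]

if __name__ == "__main__":
    for relation in sorted(permissible_relations()):
        print(relation)
    print("violations:", violations(SAMPLE))
```

The policy here is linear, so `dominates` reduces to a rank comparison; for a lattice with compartments it would compare both the level and the category set, and nothing else in the block would change.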


Access Domains

So far, we have concentrated on the properties of policies. We now examine the properties of the protection mechanisms used to enforce security policies. The principal notion we use is that of an access domain.

An access domain A is a tuple (a_1, ..., a_i, ..., a_n) where n is the number of primitive access modes in the system, and a_i is the set of all objects {o_1, ..., o_j, ..., o_m} which a process executing in domain A may access by access mode i. [illegible] An (access mode)-domain [illegible] is the set of [illegible] objects which a process executing in that domain has the right to access according to that particular access mode. Consider, for example, the following domains: the observe-domain of A, denoted as O(A), is objects [illegible] and B. The modify-domain M(A) is empty.


A set of dominance domains are implicitly established by the system's protection mechanisms. The dominance domains are not associated with any particularization of processes and objects, but rather dominate all the domains that may occur in the system. Dominance domains may be uniquely labeled for convenience. In the Multics system, for example, the dominance domains established by the ring mechanism were known as rings and were labeled by ring numbers. Schroeder's protection mechanism also uses numbers as labels for dominance domains.

We say that A dominates B (A >= B) iff for each a_i, a_i contains b_i. The system's protection mechanism then, establishes a set of dominance domains which we can use for validation of protection mechanisms. Because these domains dominate all other domains that may occur in the system, if we can show that our policy holds for these domains, we have shown that it holds for the system.

In this paper, we choose to consider only protection mechanisms which establish a universally bounded lattice of dominance domains. Such mechanisms represent an interesting subset of protection mechanisms and provide simplicity in this discussion.
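An added example (not the paper's own code) of the access-domain definition and the dominance relation, applied to the dominance domains a ring mechanism establishes. The observe and modify rules for a ring bracket (R1, R2, R3), namely that a process in ring r may observe an object iff r <= R2 and modify it iff r <= R1, are the ones the paper gives in its Multics section; the segment names and brackets below are constructed sample input, and the check that the rings form a chain under dominance is the lattice property the paragraph above asks of a mechanism.

```python
MODES = ("observe", "modify")   # the paper's two generic access modes


def access_domain(observe_set, modify_set):
    """An access domain is a tuple (a_1, ..., a_n): one object set per access mode."""
    return (frozenset(observe_set), frozenset(modify_set))


def dominates(domain_a, domain_b):
    """A dominates B iff, for each access mode i, a_i contains b_i."""
    return all(a_i >= b_i for a_i, b_i in zip(domain_a, domain_b))


def ring_domain(ring, brackets):
    """Dominance domain of `ring`: every object a process executing in that
    ring may observe (ring <= R2) or modify (ring <= R1)."""
    for r1, r2, r3 in brackets.values():
        if not r1 <= r2 <= r3:
            raise ValueError("a ring bracket must satisfy R1 <= R2 <= R3")
    observe = {obj for obj, (_, r2, _) in brackets.items() if ring <= r2}
    modify = {obj for obj, (r1, _, _) in brackets.items() if ring <= r1}
    return access_domain(observe, modify)


def is_dominance_chain(domains):
    """True when each domain dominates the next; the rings then form a totally
    ordered, universally bounded lattice of dominance domains."""
    return all(dominates(domains[i], domains[i + 1])
               for i in range(len(domains) - 1))


def process_domain_is_bounded(process_domain, ring, brackets):
    """A process executing in `ring` can hold only domains that ring dominates."""
    return dominates(ring_domain(ring, brackets), process_domain)


# Constructed sample: five segments and their ring brackets in a four-ring system.
BRACKETS = {
    "kernel_seg": (0, 0, 0),
    "supervisor_seg": (1, 1, 1),
    "gate_seg": (1, 1, 3),
    "shared_lib": (2, 3, 3),
    "user_seg": (3, 3, 3),
}

if __name__ == "__main__":
    domains = [ring_domain(r, BRACKETS) for r in range(4)]
    for r, (observe, modify) in enumerate(domains):
        print(f"ring {r}: observe={sorted(observe)} modify={sorted(modify)}")
    print("rings form a dominance chain:", is_dominance_chain(domains))
```

Ring 0 dominates every other ring because its observe and modify sets contain all objects; ring 3's domain is the smallest, which is exactly the ordering the paper's concentric-ring picture expresses.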

The Assignment Technique

Assignment is the establishment of a relationship between two entities such that the first entity is "assigned to" the second entity. Mathematically, the term assignment is not significant; one could easily have said that entity 1 is related to entity 2. Intuitively, however, assignment is associated with the connotation "to fix authoritatively" which precisely signifies our notion of this process.

Assignment may be denoted by a graph from the first entity to the second as follows:

    entity 1  ---"is assigned to"--->  entity 2

Assignment does not alter either entity. Rather, a relationship between the entities is established which can be expressed in the form of a tuple as follows:

    (entity 1, "is assigned to", entity 2)

Regardless of the means of representation, assignment is merely the act of associating an entity or set of entities with some other entity or set of entities.

The essence of the assignment technique is relatively simple. First of all, consider the nature of a lattice security policy. Such a policy partitions the objects of a system into a lattice of equivalence classes. Each equivalence class can be thought of as an entity subject to assignment.

Then consider a mechanism, which establishes a lattice of dominance domains. Each of these domains can also be thought of as an entity subject to assignment.

Since an assignment can be established between any two entities, we can make an assignment between the equivalence classes established by a lattice security policy and the dominance domains that are established by some protection mechanism. We then validate that (for this assignment) the mechanism is sufficient to support that policy. This determination is made by examining the set of access relations that the mechanism permits, and testing for possible violations of the policy.

We are now ready to illustrate how we may use this assignment technique to evaluate protection mechanisms used in the design of secure computer systems.


The usefulness of the assignment technique appears to be rather far reaching in scope. Research currently underway is investigating a number of possibilities. This paper addresses only a few of the possible applications. The authors wholeheartedly invite the reader to suggest areas of further research. Additionally, comments, opinions, and research findings related to the assignment technique are solicited.

Multics Ring Mechanism Assignments

The question of the sufficiency of the Multics Ring Mechanism for enforcement of the basic National security policy was the initial problem that prompted the current research effort and led to the formulation of the assignment technique. It is appropriate then, that this paper present this analysis as an introductory application of simple assignment.

Compromise Policy. As stated previously in this paper, the basic National security policy is a simple lattice security policy. Figure 1(C) illustrates this policy.

The dominance domains of the Multics Ring mechanism are most frequently shown as concentric rings numbered in increasing integer order from the innermost ring or the kernel. The kernel is generally assigned ring number 0. For simplicity, we only show a system with rings 0 thru 3 in this analysis. Other ring numbers will produce similar results.


A process which is executing in ring number 1 would need to be cleared for at least SECRET information according to our assignment scheme.

The Multics Ring Mechanism discriminates among objects by means of a ring bracket. The ring bracket is a 3-tuple (R1, R2, R3) where R1, R2 and R3 are ring numbers and R1 <= R2 <= R3. Access to objects is restricted such that the current ring of execution must be less than or equal to R2 to observe information and less than or equal to R1 to modify information. Figure 3 shows characteristics of the ring brackets both in terms of the access modes used in this paper and the access modes used in Multics.


Figure 3: ring bracket characteristics (Execute; Write (modify); Read (observe)); figure not recoverable in this copy


Consider then an object that is classified as SECRET. Such an object must be assigned a ring bracket such that it may be observed by processes in ring 0 and ring 1 only. R2 must therefore be 1. A problem now becomes apparent. No matter what value we choose for R1, we are faced with a contradiction. If R1 is 0 or 1 then TOP SECRET processes may modify SECRET files, violating the Confinement Property. If R1 is greater than 1, the restrictions of the ring mechanism would be violated (viz., R1 > R2). Therefore, we can conclude that this assignment is not acceptable.

Consider now the only other potential assignment scheme, where the greatest lower bound of our lattice is assigned to ring 0. The assignment produced is shown in Figure 4.


Figure 4

We now attempt to assign ring brackets to an object classified SECRET. A problem occurs immediately. We want processes executing in ring 2 to be able to observe our objects, but then a process in ring 0, that is UNCLASSIFIED, will also be able to observe our object. The Simple Security Condition cannot be satisfied for this class, so this assignment scheme is not feasible.

Since neither of these assignments is acceptable, and shifting the ring assignments numerically would yield similar results, we can see that no assignment will be acceptable. Therefore, the Multics Ring Mechanism is not sufficient to enforce the basic National security policy for compromise.

The basic National Integrity policy [1] is the dual of the basic National security policy. Whereas the security policy is concerned with the unauthorized observation of information, or compromise, the integrity policy is concerned with the unauthorized modification of information, or subversion. The assignment technique shows us that the Multics Ring Mechanism is not sufficient to enforce this dual policy either.

The Multics Ring mechanism is not sufficient to enforce the basic National security policy nor the basic National Integrity policy. However, a Multics Security kernel has been designed [11] that is sufficient to support both of these policies. This may seem to be a contradiction, but it is not. The confusion is dissipated when one asks the question, "What form of policy does the Multics Ring mechanism support?"

Program Integrity Policy. The notion of a program integrity policy stems from the desire to prohibit modification of executable programs by less trustworthy subjects. In the general sense, we wish to ensure that our more sensitive programs are [illegible]. Unlike a strict integrity policy, however, program integrity is not concerned with the issue of general observation of information. Rather, program integrity deals only with execution and modification. In this case, we refine the access mode "observe" to that of "read/execute" access mode, taken in the sense of the general vernacular.

A program integrity policy must consider two issues. First, each entity within the system must have a program integrity access class, designated PI, assigned to it. Second, the ordering of program integrity access classes must be fixed according to the constraints of the policy maker. Once these issues are resolved, we may guarantee that no direct threat is possible by enforcement of the following condition:

Simple Program Integrity Condition: If a subject has "modify" access to an object, then the program integrity of the subject is greater than or equal to the program integrity of the object.

Because program integrity policies are concerned with the execution issue, indirect modification of information is not strictly prohibited. This provides a certain degree of flexibility but also produces a certain amount of risk [?]. Confinement of execution helps to reduce the risk of such an indirect threat. The indirect threat occurs when a subject executes a program that has been modified by another, less trustworthy subject. We can further see the usefulness of confinement in a program integrity policy by noting that this property supports the use of library functions. In a manner directly analogous to that for the National integrity policy [2], we define the confinement property for program integrity as follows:

Program Integrity Confinement Property: If a subject has execute access to an object, then the program integrity of the object is greater than or equal to the program integrity of the subject.

The characteristics of an example program integrity policy in terms of access modes are shown in Figure 5. Such a policy is inherently a lattice policy.

Figure 5


Consider now a specific program integrity policy. According to this policy, entities are partitioned into one of four access classes designated as User, Supervisor, Utility or Kernel. The sensitivity of these access classes is specified as: Kernel > Supervisor > Utility > User. We then consider an assignment to a Multics ring structure as shown in Figure 6.

[illegible] of any invalid relation with respect to this policy. For this assignment, [no] violations are possible. Therefore, we have shown that the Multics Ring Mechanism is sufficient to support this Program Integrity policy.

This issue of what form of protection the Multics Ring Mechanism provides appears to be precisely the issue that Wulf, Jones and the other designers of the "HYDRA" system were attempting to understand [16]. They introduce their discussion by first saying:

"Protection is, in our view, a mechanism." [16]

Their discussion then proceeds to make the following general statement relative to the Multics rings:

"Our rejection of hierarchical system structures, especially ones which employ a single hierarchical relation for all aspects of system interaction, is also, in part, a consequence of the distinction between protection and security. A failure to distinguish these issues coupled with a strict hierarchical structure leads inevitably to a succession of increasingly privileged system components, and ultimately to a "most privileged" one, which gain their privilege exclusively by virtue of their position in the hierarchy. Such structures are inherently wrong ..." [16]

Had the assignment technique been available to the authors of the above statement, they would have been afforded a means of [illegible] "inherently wrong". The assignment technique provides a precise method for exactly formulating such an observation [illegible]. [illegible] the Multics Ring Mechanism is "inherently wrong" with respect to compromise policies. On the other hand, the Multics ring mechanism is just [illegible] as a means of enforcing a program integrity policy or assisting in the enforcement of the system's non-hierarchical security policies (viz., via security kernels).

Other Ring Mechanisms

The Multics Ring Mechanism is by no means the only form of ring mechanism. By altering the requirements of the ring brackets and the need for a gate keeper, one can contemplate adapting ring mechanisms to meet other simple hierarchical policies.


Consider using the assignment shown in Figure 2, but altering the means of discrimination among objects such that the ring bracket is a singleton (R1). Following the rules shown in Figure 7, we can adapt this ring mechanism to enforce the basic National Security policy.

Figure 7: rules for the singleton ring bracket (observe; remainder of figure not recoverable in this copy)


Similarly, Figure 8 shows the rules necessary for the same assignment as shown in Figure 2 to adapt this ring mechanism to meet the basic National Integrity policy. Examining Figures 7 and 8, the dual nature of these two policies is apparent.

Figure 8: rules for the singleton ring bracket under the integrity policy (observe; modify; figure not recoverable in this copy)

To be sure, these brief suggestions do not completely characterize a practical protection mechanism. However, it appears that ring mechanisms are adaptable for the enforcement of various simple hierarchical policies.
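The three analyses above (the Multics rings against the compromise policy, the Multics rings against the program integrity policy, and the singleton-bracket ring mechanism against the compromise policy) can be mechanised as a search, which is what the following added example does; it is not code from the paper. Every class-to-ring assignment is enumerated, and for each object class a bracket is sought under which no access relation the mechanism permits violates the policy, which is the paper's sufficiency test. The observe and modify rules for a Multics bracket are the ones the paper states; the execute rule (R1 <= ring <= R2) is the Multics rule and is an assumption here, since this copy of Figure 3 is not legible. The singleton-bracket rules (observe iff ring <= R1, modify iff ring >= R1) are likewise assumed, because Figure 7 is not legible. The class-to-ring orderings of Figures 2, 4 and 6 are not read from the figures but recovered by trying all orderings.

```python
from itertools import permutations, product

RINGS = range(4)
# Multics ring brackets (R1, R2, R3) with R1 <= R2 <= R3; singleton brackets (R1,).
MULTICS_BRACKETS = [b for b in product(RINGS, repeat=3) if b[0] <= b[1] <= b[2]]
SINGLETON_BRACKETS = [(r,) for r in RINGS]


def multics_permits(ring, mode, bracket):
    """Observe iff ring <= R2, modify iff ring <= R1 (rules stated in the paper);
    execute iff R1 <= ring <= R2 (Multics rule, assumed here, not on the page)."""
    r1, r2, _r3 = bracket
    if mode == "observe":
        return ring <= r2
    if mode == "modify":
        return ring <= r1
    if mode == "execute":
        return r1 <= ring <= r2
    raise ValueError(f"unknown access mode {mode!r}")


def singleton_permits(ring, mode, bracket):
    """Assumed rules for a singleton bracket (R1,): observe iff ring <= R1,
    modify iff ring >= R1 (Figure 7 is not legible in this copy)."""
    (r1,) = bracket
    if mode == "observe":
        return ring <= r1
    if mode == "modify":
        return ring >= r1
    raise ValueError(f"unknown access mode {mode!r}")


def compromise_policy(rank, subj, mode, obj):
    """Simple Security Condition (observe) and Confinement Property (modify)."""
    if mode == "observe":
        return rank[subj] >= rank[obj]
    if mode == "modify":
        return rank[subj] <= rank[obj]
    raise ValueError(f"mode {mode!r} not covered by the compromise policy")


def program_integrity_policy(rank, subj, mode, obj):
    """Simple Program Integrity Condition (modify) and its Confinement Property (execute)."""
    if mode == "modify":
        return rank[subj] >= rank[obj]
    if mode == "execute":
        return rank[obj] >= rank[subj]
    raise ValueError(f"mode {mode!r} not covered by the program integrity policy")


def find_bracket(permits, brackets, policy, rank, class_of_ring, obj_class, modes):
    """First bracket for an object of obj_class under which every (ring, mode) the
    mechanism permits is also permitted by the policy; None if no bracket works."""
    for bracket in brackets:
        if all(policy(rank, class_of_ring[r], m, obj_class)
               for r, m in product(RINGS, modes) if permits(r, m, bracket)):
            return bracket
    return None


def acceptable_assignments(permits, brackets, policy, classes, modes):
    """Every assignment (ring -> class) under which each class gets a valid bracket.
    `classes` is listed from least to most sensitive, so rank[c] orders the lattice."""
    rank = {c: i for i, c in enumerate(classes)}
    accepted = []
    for order in permutations(classes):
        class_of_ring = dict(zip(RINGS, order))
        chosen = {c: find_bracket(permits, brackets, policy, rank, class_of_ring, c, modes)
                  for c in classes}
        if all(b is not None for b in chosen.values()):
            accepted.append((class_of_ring, chosen))
    return accepted


SECURITY = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]  # compromise policy
INTEGRITY = ["User", "Utility", "Supervisor", "Kernel"]               # program integrity


def multics_compromise():
    return acceptable_assignments(multics_permits, MULTICS_BRACKETS,
                                  compromise_policy, SECURITY, ("observe", "modify"))


def multics_program_integrity():
    return acceptable_assignments(multics_permits, MULTICS_BRACKETS,
                                  program_integrity_policy, INTEGRITY, ("modify", "execute"))


def singleton_compromise():
    return acceptable_assignments(singleton_permits, SINGLETON_BRACKETS,
                                  compromise_policy, SECURITY, ("observe", "modify"))


if __name__ == "__main__":
    print("Multics rings / compromise policy:", multics_compromise() or "no acceptable assignment")
    for class_of_ring, brackets in multics_program_integrity():
        print("Multics rings / program integrity:", class_of_ring, brackets)
    for class_of_ring, brackets in singleton_compromise():
        print("singleton bracket / compromise policy:", class_of_ring, brackets)
```

The search reproduces the paper's results: for the compromise policy no assignment of the four classes to Multics rings yields a valid bracket for every class, because a process in ring 0 can both observe and modify any object whatever its bracket, so the Simple Security Condition and the Confinement Property cannot both hold for any class other than the one assigned to ring 0. For the program integrity policy exactly one assignment succeeds (Kernel in ring 0 down to User in ring 3), and the singleton-bracket variant admits the compromise policy under exactly one assignment (TOP SECRET in ring 0 down to UNCLASSIFIED in ring 3).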


Capability Mechanisms

Considerable effort is currently underway to provide Provably Secure Operating Systems based upon the capability mechanism. It is important to examine what form of protection capability mechanisms provide [illegible]. Capability mechanisms primarily establish two dominance domains which are enforced by the system hardware. One domain consists of capabilities, and the other is objects that are not capabilities, such as segments and directories. A process takes no note of these dominance domains, however, because all processes have access to capabilities as well as other types of objects. So with respect to a process, the capability mechanism provides no inherent partitioning of the system entities at all. In fact, in trying to determine the structure of dominance domains for non-capability objects, we encounter a veritable [illegible].

Conclusions

Assignment has been shown to be a useful technique in evaluating the sufficiency of a mechanism to enforce a security policy. This technique is based upon a formalized notion of domains and the lattice nature of security policies.

This method provides considerable insight into the nature of access control. Characterizing a subject as a process-domain pair, we observe that non-discretionary protection is dependent only upon the dominance domains established by the system's mechanisms and the access relations between these domains. The nature of the computation is irrelevant. Furthermore, one can observe that any protection policy can only be implemented on a computer system which has some form of system isolation prohibiting the users from altering the system's isolation method.

This paper presents an introduction to assignment, and several simple examples have been investigated. Considerable research effort is still necessary. Of particular interest is the use of the assignment technique as a guide in the construction of new mechanisms to meet classes of policies of broad interest. Assignment research has already provided considerable insight into the nature of security enforcement, providing a means of formally presenting the characteristics of mechanisms and policies. Mechanisms can be categorized by the type of enforcement